mirror of
https://github.com/janeczku/calibre-web
synced 2024-11-28 04:19:59 +00:00
Add mime_type checks on file uploads
This commit is contained in:
parent
014a247847
commit
7eece7603b
@ -23,6 +23,7 @@
|
||||
import os
|
||||
from datetime import datetime
|
||||
import json
|
||||
import magic
|
||||
from shutil import copyfile
|
||||
from uuid import uuid4
|
||||
from markupsafe import escape, Markup # dependency of flask
|
||||
@ -757,6 +758,10 @@ def file_handling_on_upload(requested_file):
|
||||
flash(_("File %(filename)s could not saved to temp dir",
|
||||
filename=requested_file.filename), category="error")
|
||||
return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
|
||||
except (Exception):
|
||||
flash(_("File is not allowed to be uploaded to this server",
|
||||
filename=requested_file.filename), category="error")
|
||||
return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
|
||||
return meta, None
|
||||
|
||||
|
||||
|
@ -19,6 +19,9 @@
|
||||
from tempfile import gettempdir
|
||||
import os
|
||||
import shutil
|
||||
import magic
|
||||
import zipfile
|
||||
from . import constants
|
||||
|
||||
def get_temp_dir():
|
||||
tmp_dir = os.path.join(gettempdir(), 'calibre_web')
|
||||
@ -30,3 +33,19 @@ def get_temp_dir():
|
||||
def del_temp_dir():
|
||||
tmp_dir = os.path.join(gettempdir(), 'calibre_web')
|
||||
shutil.rmtree(tmp_dir)
|
||||
|
||||
def validate_mime_type(tmp_file_path):
|
||||
mime = magic.Magic(mime=True)
|
||||
tmp_mime_type = mime.from_file(tmp_file_path)
|
||||
if any(mime_type in tmp_mime_type for mime_type in constants.EXTENSIONS_UPLOAD):
|
||||
return True
|
||||
# Some epubs show up as zip mimetypes
|
||||
elif "zip" in tmp_mime_type:
|
||||
try:
|
||||
with zipfile.ZipFile(tmp_file_path, 'r') as epub:
|
||||
if "mimetype" in epub.namelist():
|
||||
return True
|
||||
except:
|
||||
pass
|
||||
|
||||
raise Exception("Forbidden MIME type to upload")
|
||||
|
@ -23,7 +23,7 @@ from flask_babel import gettext as _
|
||||
from . import logger, comic, isoLanguages
|
||||
from .constants import BookMeta
|
||||
from .helper import split_authors
|
||||
from .file_helper import get_temp_dir
|
||||
from .file_helper import get_temp_dir, validate_mime_type
|
||||
|
||||
log = logger.create()
|
||||
|
||||
@ -91,7 +91,8 @@ def process(tmp_file_path, original_file_name, original_file_extension, rar_exec
|
||||
meta = meta._replace(title=original_file_name)
|
||||
if not meta.author.strip() or meta.author.lower() == 'unknown':
|
||||
meta = meta._replace(author=_('Unknown'))
|
||||
return meta
|
||||
if validate_mime_type(tmp_file_path):
|
||||
return meta
|
||||
|
||||
|
||||
def default_meta(tmp_file_path, original_file_name, original_file_extension):
|
||||
|
Loading…
Reference in New Issue
Block a user